STE WILLIAMS

NSA to world+dog: We’re only watching 1.6% of internet, honest


The US’s National Security Agency (NSA) has issued a document titled The National Security Agency: Missions, Authorities, Oversight and Partnerships (PDF) that explains some of its operations – and includes a claim it “… touches about 1.6 per cent …” of daily internet traffic and “… only 0.025 per cent is actually selected for review”.

Released on Saturday with little fanfare – albeit amid fresh claims that the spook nerve-centre is scrutinising every email in and out of the US – the document’s prologue explains that the NSA lacked tools to track one of the 9/11 hijackers. As a result “several programs were developed to address the U.S. Government’s needs to connect the dots of information available to the intelligence community and to strengthen the coordination between foreign intelligence and domestic law enforcement agencies”.


It goes on to detail the legal underpinnings of the agency’s work and identify the following methodology for its operations:

  1. NSA identifies foreign entities (persons or organizations) that have information responsive to an identified foreign intelligence requirement. For instance, NSA works to identify individuals who may belong to a terrorist network.
  2. NSA develops “the network” with which that person or organisation’s information is shared or the command and control structure through which it flows. In other words, if NSA is tracking a specific terrorist, NSA will endeavor to determine who that person is in contact with, and who he is taking direction from.
  3. NSA identifies how the foreign entities communicate (radio, e-mail, telephony, etc.)
  4. NSA then identifies the telecommunications infrastructure used to transmit those communications.
  5. NSA identifies vulnerabilities in the methods of communication used to transmit them.
  6. NSA matches its collection to those vulnerabilities, or develops new capabilities to acquire communications of interest if needed.

The money shot comes in a section titled “Scope and Scale of NSA Collection” that reads as follows:

“According to figures published by a major tech provider, the Internet carries 1,826 Petabytes of information per day. In its foreign intelligence mission, NSA touches about 1.6% of that. However, of the 1.6% of the data, only 0.025% is actually selected for review. The net effect is that NSA analysts look at 0.00004% of the world’s traffic in conducting their mission – that’s less than one part in a million.”

It also means the NSA is “touching” a couple of terabytes a day. And let’s also ponder just what “selected for review” means. Is it reading by humans? Processing by machines? Perhaps the probe launched by President Obama into his spooks’ activities will reveal all.

The NSA would have us believe that whatever’s going on, “NSA personnel are obliged to report when they believe NSA is not, or may not be, acting consistently with law, policy, or procedure”.

“This self-reporting is part of the culture and fabric of NSA,” the document continues. “If NSA is not acting in accordance with law, policy, or procedure, NSA will report through its internal and external intelligence oversight channels, conduct reviews to understand the root cause, and make appropriate adjustments to constantly improve.”

The Reg imagines leakers working for contractors were not on the NSA’s list of “external intelligence oversight channels”. Whistleblower Edward Snowden thrusting himself into that role may be the reason this document was published. ®

Bootnote

Here at Vulture South we write in a word processor (Lotus Symphony) and then enter the results into The Reg’s content management system. While cutting and pasting sections of the document into Symphony, we found some oddities.

For example, the list describing the NSA’s methodology, in point 2, looks like this even when pasted unformatted:

Cut and paste the NSA way

We found several such instances throughout the document and imagine it is the NSA’s idea of a joke.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/12/nsa_says_it_only_watches_one_point_six_per_cent_of_the_internet/

Google ups ante to $5,000 for Chrome browser bug bounties


Google has increased the amount it will pay security researchers for information about flaws in its Chrome browser, having already shelled out more than $2m in bug bounties across its various security reward programs.

“In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000,” Chris Evans and Adam Mein, the Chocolate Factory’s “masters of coin”, wrote in a blog post on Monday.


The higher rewards will be offered to researchers who discover bugs that pose “a more significant threat to user safety,” and who provide an accurate analysis of the threats and how easy they would be for attackers to exploit.

Even with the increased reward amounts, Google will continue to offer additional bonuses for certain types of bug disclosures, such as when a researcher finds a bug in an area of the code that was thought to be stable, or when a bug also has consequences for other software besides Chrome.

The online ad-slinger says it has already paid out more than $1m in bounties through its Chromium Vulnerability Reward Program and its Pwnium competition, plus another $1m or so for its Google Web Vulnerability Reward Program.

The bounties have been good business for some hackers, several of whom have claimed multiple awards. One of the most frequently rewarded Chrome bug hunters, Sergey Glazunov, has claimed bounties totaling more than $150,000 to date.

But then, that’s still peanuts compared to what Google would have to pay Glazunov and his fellow bug-bounty winners to work as security staffers on the Chrome team. In fact, a recent paper published by researchers at the University of California at Berkeley found that over a three-year period, Google’s bug bounty programs cost it less than it would likely have paid a single full-time employee.

In effect, Monday’s rate increase means Google’s crowdsourced, virtual security researcher just got a raise – albeit not a very big one.

Hackers who are interested in cutting themselves a slice of Google’s bug-bounty pie are directed to the company’s guidelines for reward eligibility, as well as to its directions explaining how to do a good job of reporting bugs. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/12/chrome_bug_bounty_increase/

Mobe-slurping Wi-Fi RUBBISH BINS banned from London’s streets


Electronic BINS in the heart of London must stop tracking hundreds of thousands of passing smartphones, officials have demanded.

A dozen or so high-tech rubbish cans – which display adverts and information on built-in flat-screens and are dotted around the capital’s financial district’s pavements – were set up to collect data from nearby phones.


The recycling bins, operated by Renew London, used Wi-Fi networking to identify devices using their individual MAC addresses, effectively handing over the “proximity, speed … and manufacturer” of the gizmos. MAC addys are unique to each network interface out there, although they can be easily altered by software if one is in the know; the addresses also reveal the maker of the networking chipset.

The company said it used these so-called bin-based ORBs to silently detect 4,009,676 devices in one week, although that really amounts to 530,000 unique phones.

Renew, which said the collected data was “anonymised” before it was analysed, hoped to use this technology to track footfall in shopping areas and perhaps even show tailored adverts to people as they walked by the bins.

But the first pilot testing the Orb system has now been cancelled after The City of London Corporation, which oversees the centre of the Big Smoke, pulled the plug. The authority only found out about the trial when journalists got hold of the study, a source told The Register. A report has also been made to Blighty’s privacy watchdog, the Information Commissioner.

A spokesman for the corporation said: “We have already asked the firm concerned to stop this data collection immediately and we have also taken the issue to the Information Commissioner’s Office. Irrespective of what’s technically possible, anything that happens like this on the streets needs to be done carefully, with the backing of an informed public.

“This latest development was precipitate and clearly needs much more thought. In the meantime data collection – even if it is anonymised – needs to stop.”

(Don’t forget that modern smartphone makers already track your movements by default: both Apple and Google already track people through their location services features, although these can be disabled. Unlike the tracking in the bins.)

In a statement, Renew boss Kaveh Memari claimed the reaction to his firm’s technology was blown out of proportion.

He said: “I’m afraid that in the interest of a good headline and story there has been an emphasis on style over substance that makes our technology trial slightly more interesting than it is.

“During our initial trials, which we are no longer conducting, a limited number of pods had been testing and collecting anonymised and aggregated MAC addresses from the street and sending one report every three minutes concerning total footfall data from the sites. A lot of what had been extrapolated is capabilities that could be developed and none of which are workable right now.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/12/spy_bins_scrapped_from_london_streets/

The Pirate Bay’s new censorship-dodging browser ‘not secure’


The Pirate Bay has released a bundle of add-ons to help people search for and access bits of the internet that governments and ISPs have locked away. The only hitch is: despite the fact that it contains a Tor client, security experts have said that it doesn’t completely anonymise internet traffic.

This has raised concerns about users’ security.


PirateBrowser, released in celebration of the torrent site’s 10th birthday – and with a bunch of torrent sites already bookmarked, natch – is based on Firefox Portable and comes bundled with proxy-management toolset Foxyproxy and the Tor client Vidalia.

In its FAQ, The Pirate Bay says:

Does it [allow me to] surf the net anonymously?

No, while it uses Tor network, which is designed for anonymous surfing, this browser is intended just to circumvent censorship — to remove limits on accessing websites your government doesn’t want you to know about.

If you are looking for something more secure you may want to try a VPN like PrivacyIO.

Security experts have complained that The Pirate Bay failed to adhere to Tor security protocols, with one observer claiming the new browser was “unsafe”.

The new browser was released on Saturday, the notorious file-sharing site’s 10th anniversary.

The Pirate Bay said: “Do you know any people who can’t access TPB or other torrent sites because they are blocked? Recommend PirateBrowser to them. It’s a simple one-click browser that circumvents censorship and blockades and makes the site instantly available and accessible.”

It added: “This browser is intended just to circumvent censorship — to remove limits on accessing websites your government doesn’t want you to know about.”

But Twitter has erupted in criticism. The Spy Blog, which focuses on security, privacy and surveillance issues, tweeted:

Jacob Appelbaum, a security bod and a spokesman for the Tor Project, also tweeted:

In an FAQ about the browser, The Pirate Bay reassured torrent-seekers that there were no hidden nasties in their software.

It said: “There have been no modifications to any of the packages used, no adware, Trojans, toolbars, etc. This is simply a tool to help people get around censorship.”

The creators of PirateBrowser lumped the UK and other countries that have issued court orders blocking access to torrent search sites together with international bad boys like Iran and North Korea, claiming that nations around the world want to “limit” their citizens’ online access.

TPB described the PirateBrowser thus:

PirateBrowser is a bundle package of the Tor client (Vidalia), FireFox Portable browser (with foxyproxy addon) and some custom configs that allows you to circumvent censorship that certain countries such as Iran, North Korea, United Kingdom, The Netherlands, Belgium, Finland, Denmark, Italy and Ireland impose onto their citizens.

The Pirate Bay has come under attack in recent months, with founder Gottfrid Svartholm Warg sentenced to two years’ imprisonment in Sweden after being found guilty of hacking. ®

* Sites expressing anti-government views or which include “undesirable content”, such as YouTube, are routinely blocked in Iran. VPN services and certain social networking websites are also blocked.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/12/pirate_bay_releases_new_privacyminded_browser/


The secure mail dilemma: If it’s useable, it’s probably insecure


Analysis The sudden closure of two secure email services may cause many privacy-conscious people to begin looking for alternatives. However, security experts warn that any service provider may be put under pressure to comply with authorities, and this might kill off secure mail as we know it.


The issue has become even more of a hot topic among infosec professionals since Texas-based Lavabit – reportedly NSA whistleblower Edward Snowden’s preferred email provider – announced it was going to roll down the shutter on services on Thursday.

Ladar Levison, the owner of Lavabit, said the firm had “decided to suspend operations” in the face of US legal pressure over recent weeks as an unpalatable but better alternative to becoming “complicit in crimes against the American people”.


I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations.

I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on – the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

Levison is careful not to say this directly, but the implication is that he was either served with a court order from the Foreign Intelligence Surveillance Court or a National Security Letter. Both legal documents come with compulsory gag orders. You can see an interview with Nicholas Merrill, one of the few people to win the right to talk about a National Security Letter he was served with, here.

Man-in-the-middle attack likely only way to get around encryption

Lavabit encrypts stored messages using public key cryptography as well as encrypting the contents of email in transit to guard against eavesdropping. This means that without a customer’s private key nobody – not even Levison – can unscramble messages.

This is a marked difference from bigger webmail providers such as Google’s Gmail or Microsoft’s Outlook.com, which hold the keys that would allow them to unscramble messages and turn them over to the authorities, if compelled.

Email stored on Lavabit’s servers was encrypted using asymmetric elliptic curve cryptography, as explained in documents about its architecture. This service was only available to holders of premium accounts (among them, reportedly, Edward Snowden, who was said to have maintained the somewhat prosaic address [email protected]).

The Feds might be seeking to intercept communications in transit between Lavabit and its customers using some form of man-in-the-middle attack, or even seeking to plant government-sanctioned malware, El Reg’s security desk speculates. If Snowden was the intended target then all sorts of exotic zero-day exploits might have been brought into play.

This is all complete guesswork on our part and all we know for sure is that Lavabit shut itself down to avoid complying with something it found intolerable while it takes its case to the Fourth Circuit Court of Appeals.

The owner of the boutique email service provider said he hoped to relaunch Lavabit in the US providing its pending appeals court case goes its way. It has begun soliciting donations for a legal defence fund.

Levison said the whole experience had taught him a “very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States”.

PGP daddy shuts down new secure email service

Hours later PGP daddy Phil Zimmermann’s Silent Circle said it was shutting down its recently inaugurated email service rather than having to face the possibility of receiving a secret court order in future.

The firm is continuing with its core business of supplying secure messaging and encrypted voice apps for smartphones. But Silent Circle said it had unplugged and wiped its email service even in the absence of any search or seizure order from government.

“We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now,” Jon Callas, Silent Circle’s CTO, explains in a blog post. “We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.”

Silent Circle runs its servers in Canada and has plans to expand to Switzerland. For the time being, though, it only has offices in the US and UK. However, despite having a presence outside the US, the owners still decided they wouldn’t be able to continue Silent Mail in good conscience.

Any UK firm offering similar services to Lavabit and Silent Circle would have to comply with RIPA and any other future local law, such as the Snoopers’ Charter, if it is ever reanimated.

And any service provider in the EU would be obliged to adhere to the Data Retention Directive, which specifies (among other things) that

each [member state’s] authority shall in particular be endowed with investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties.

Setting up a secure ISP in an EU state means living with a regime little more friendly than that which exists in the US.

“All EU member states have to comply with the Data Retention Directive,” Brian Honan, of BH Consulting and founder of Ireland’s CSIRT told El Reg. “Each EU member state will implement the directive differently and will also have their own local laws too.”

Honan said the only secure alternative is a DIY approach using encryption tools such as PGP. And even that approach won’t always work – either due to a failure to use the technology properly or malware infection.

“Use PGP on the desktop as only you have access to your private key. For extra protection keep private key separate from PC,” Honan told El Reg.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/12/secure_webmail_analysis/


Android bug batters Bitcoin wallets


Users of Android Bitcoin apps have woken to the unpleasant news that an old pseudo-random number generation bug has been exploited to steal balances from users’ wallets.

The Bitcoin Foundation’s announcement, here, merely states that an unspecified component of Android “responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft.”


Such wallets would include Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

The problem is this: the elliptic curve digital signature algorithm – ECDSA – demands that the random number (the nonce) used when signing a message with a private key is only ever used once. If the random number generator hands out the same value for two signatures, the private key is recoverable from the pair.

This blog post, describing a presentation given at the RSA conference in March, gives a hint at what’s going on. It described how the Java class SecureRandom (used by the vulnerable wallets) can generate collisions for the value r.

Moreover, r collisions appear to have been spotted in the wild as early as January – although the author of that post, Nils Schneider, did not link the collision to SecureRandom.

According to The Genesis Block, SecureRandom was flagged by Google’s Mike Hearn as the problem, in an e-mail to Bitcoin developers:

“Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen”.

Hearn says a new version of the Bitcoin Wallet app “has been prepared that bypasses the system SecureRandom implementation and reads directly from /dev/urandom instead, which is believed to be functioning correctly. All unspent outputs in the wallet are then respent to this new key.”

Given, however, the prior observations both of Bitcoin signature collisions and SecureRandom problems, The Register has asked Hearn if developers should have been advised to avoid SecureRandom sooner. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/12/android_bug_batters_bitcoin_wallets/

Admins warned: Drill SSL knowledge into your Chrome users


Admins of Chrome shops unite – your users are dabbling with dodgy SSL, and you must teach them how to be safer online until Google updates its browser.

That’s the gist of a new report from Google researcher Adrienne Porter Felt and University of California, Berkeley graduate student Devdatta Akhawe, who trawled some 25 million data points in a quest to figure out how effective phishing, malware, and SSL warnings are for users of Chrome and Firefox.


The paper in which the flaws are discussed – Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness – will be presented next week at the USENIX Security Symposium 2013 in Washington, DC.

It finds that Chrome could borrow a number of useful traits from Firefox to reduce the rate at which users click through SSL warnings, potentially opening their computers to being compromised.

“Google Chrome users are 2.1 times more likely to click through an SSL warning than Mozilla Firefox users,” the researchers write. They believe this high click-through rate comes from a combination of aesthetics, the storage of user-set SSL exemptions, and different demographics from users of different operating systems.

The report found that Firefox’s use of a stylized policeman combined with the use of the word “untrusted” in the title likely had an effect on stopping users from bypassing the warning.

It also noted that Firefox forces users to make three clicks versus one in Chrome to bypass the warning, and this is likely to have had an effect as well.

However, both browsers ship with specific technologies that skew their own click-through rates: upward for Chrome, downward for Firefox.

Chrome, for instance, ships with a technology called “certificate pinning” that skews Google’s click-through rate upward. Pinning adds a preloaded list of HTTP Strict Transport Security sites with pinned certificates, such as Google, PayPal, and Twitter, for which users cannot click past SSL warnings.

This means that some 20 per cent of all Google Chrome SSL warning impressions are non-bypassable, compared with Firefox’s 1 per cent. Therefore, Firefox users see warnings for sites that Google users do not see, and by not clicking through on these critical warnings, Firefox’s SSL click-through rate is skewed down as compared to Chrome’s.

Further contributing to this, the fact that Firefox lets users permanently store exceptions for specific sites also lowered that browser’s SSL click-through rate:

We suspect that people do repeatedly visit sites with warnings (e.g., a favorite site with a self-signed certificate). If future work were to confirm this, there could be two implications. First, if users are repeatedly visiting the same websites with errors, the errors are likely false positives; this would mean that the lack of an exception-storing mechanism noticeably raises the false positive rate in Google Chrome.

Second, warning fatigue could be a factor. If Google Chrome users are exposed to more SSL warnings because they cannot save exceptions, they might pay less attention to each warning that they encounter.

Though these two specific technologies are likely shifting the click-through rates among the surveyed population, that does not account for the yawning gulf in click-throughs between Firefox and Chrome, the researchers write.

In light of the study, Google plans to test an exception-remembering feature in Chrome to halt “warning fatigue” among users and make them more careful when confronted with warnings. It has also begun a series of A/B tests to gauge the effectiveness of “a number of improvements”.

For the time being, however, it seems the greatest advice an admin can dispense to their users is as familiar as ever: RTFW – Read The Flipping Warning. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/10/chrome_ssl_clickthrough_report/

Second LulzSec Sony website hacker starts a year in the cooler

A LulzSec hacker has been sentenced to a year in a US jail for hacking Sony Pictures and dumping personal information of 138,000 movie fans online.

Raynaldo Rivera, 21, of Tempe, Arizona, will spend 366 days behind bars, followed by 13 months of house arrest and 1,000 hours of community service for his involvement in the infamous hack.

Rivera was further ordered by US District Judge John Kronstadt to pay $605,663 in compensation to Sony’s movie division, a target for hacktivists due to its hardline stance against copyright infringement on file-sharing networks.

The miscreant – known online as “neuron” and a member of hacking crew LulzSec – was sentenced on Thursday after earlier pleading guilty. He admitted compromising Sony’s systems in 2011 and leaking swiped personal information with the help of another LulzSec member. The spilled data included the names, addresses, phone numbers and email addresses of tens of thousands of Sony customers.

The hack was pulled off using a SQL injection attack against the entertainment goliath’s film website.

That other member of LulzSec was Cody Andrew Kretsinger (AKA “recursion”), who was thrown into a federal jail for a year and a day back in April and fined an equal amount for his part in the crime.

Rivera and Kretsinger studied together at the University of Advancing Technology in Tempe, Arizona. Kretsinger joined LulzSec first before recruiting Rivera, according to prosecutors. Neither was part of the core group of six LulzSec hackers – one of whom, Xavier “Sabu” Monsegur, became an FBI informant.

It’s unclear how the FBI-led prosecution of the LulzSec gang caught up with Rivera and Kretsinger, but a tip-off by Sabu has to be a possibility. A combination of operational mistakes by the pair and skilled computer forensics is very likely to have played some sort of role.

A Department of Justice statement on Rivera’s sentencing can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/09/lulzsec_hacker_jailed/